B2B and B2C: How to Balance the Difference and Challenges of Each Environment
Issue/Topic: B2B & B2C: How to Balance the Differences and Challenges of Each Environment (T1B)
Convener: Rainer Hoerbe
Notes-taker(s): Gary Moore
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
The discussion was based around how to create an environment to handle the complexities of dealing with business-citizen and business-business transactions.
From an Austrian perspective
- Internal govt federation program
- Had a unsuccessful national citizen PKI. Based national identity that is moving towards a SMS based solution but uptake still unknown
- Challenges - privacy
- B2b privacy less important to ensure audit ability
- B2c more important for privacy
NIH federation within US govt. starting with PIV. 80% of business is outside govt - currently Incommon to universities. NLM 15000 users - no cross correlation - authorization is delegated to relying party
NIH does not want to be in the business of a credential provider In Austria centralized data allows higher assurance of identity - legislatively driven with benefit of small population - 8 million
NLM can use multiple LOA (levels of assurance) as well as multiple IDPs
There is a concern with Credential strength versus strength of identity proofing
Stepping up levels of assurance - how to do that?
- Use of organizations like Lexus, Axiom, Equifax for information that can better identify the user
NIH Delegates risk to the companies and universities that they are dealing with
How to manage the separation of attribute definitions - use a common data dictionary or create a mapping service?
Austrian view - NIST is concerned with providing identity to RP - Austrian concern adds on making sure info only goes to the user - European privacy legislation requirement
How do we come up with appropriate definitions of LOA - need better guidelines for the definitions.
Within NIH NLM program In common level 1-2, also using 3 and 4 through PKI as well as OpenID for level 1
How to create international common definitions of LOA? Companies like Paypal are global but definitions of LOA are currently environment specific
TSCP program to issue credentials to the machines that are assured to be trustworthy. In Austria a similar thing for web infrastructure elements. For TSCP they are extending that to leverage trusted platform to ensure long term proper configuration of the environment.